How to Authenticate Users with AWS Amplify, Cognito, and Azure Entra ID
Cognito user pools provide support for SAML-based identity providers, enabling seamless integration with enterprise identity systems. In this note, we’ll walk through the process of setting up authentication using AWS Amplify, Cognito, and Azure Entra ID.
Azure AD has been renamed to Microsoft Entra ID. For more details, visit the official page.
The authentication workflow involves integrating Cognito with Azure Entra ID via SAML. The following diagram, from the official documentation, visualizes the process.
Building Backend
Creating Azure Entra ID
Open the Azure portal and navigate to the Microsoft Entra ID section.
Select Add > Enterprise application from the menu.
Choose Create your own application and enter a name such as my-cognito-app. Select the option Integrate any other application you don't find in the gallery (Non-gallery).
Go to the Set up single sign on section and choose SAML as the method.
Once the SAML setup page appears, locate and copy the metadata URL. This will be used in the Cognito configuration.
Creating Cognito User Pool
Create a CloudFormation template:
- Attribute Mapping (Lines 33-35): The URLs for attribute mapping can be found in the metadata URL retrieved from Azure Entra ID.
- OAuth Scope (Line 51): The scope
aws.cognito.signin.user.adminis required for querying user information from frontend applications using Amplify.
AWSTemplateFormatVersion: 2010-09-09Description: Cognito user pool federated with Azure Entra ID
Parameters: Domain: Type: String Description: Cognito user pool domain CallbackURLs: Type: CommaDelimitedList Default: 'http://localhost:3000/' LogoutURLs: Type: CommaDelimitedList Default: 'http://localhost:3000/' MetadataURL: Type: String Description: SAML metadata url of your Azure Entra ID
Resources: CognitoUserPool: Type: AWS::Cognito::UserPool Properties: UserPoolName: cognito-federated-with-azure-entra-id
CognitoUserPoolDomain: Type: AWS::Cognito::UserPoolDomain Properties: Domain: !Ref Domain UserPoolId: !Ref CognitoUserPool
CognitoUserPoolIdentityProvider: Type: AWS::Cognito::UserPoolIdentityProvider Properties: AttributeMapping: email: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' name: 'http://schemas.microsoft.com/identity/claims/displayname' ProviderDetails: IDPSignout: true MetadataURL: !Ref MetadataURL ProviderName: azure-entra-id ProviderType: SAML UserPoolId: !Ref CognitoUserPool
CognitoUserPoolClient: Type: AWS::Cognito::UserPoolClient Properties: AllowedOAuthFlows: - code AllowedOAuthScopes: - email - openid - aws.cognito.signin.user.admin AllowedOAuthFlowsUserPoolClient: true CallbackURLs: !Ref CallbackURLs LogoutURLs: !Ref LogoutURLs ClientName: public client SupportedIdentityProviders: - COGNITO - !Ref CognitoUserPoolIdentityProvider UserPoolId: !Ref CognitoUserPoolReplace <SAML_METADATA_URL> with the metadata URL copied earlier and deploy the stack using the following command:
aws cloudformation deploy \ --template-file cognito.yaml \ --stack-name amplify-with-cognito-and-entra-id \ --parameter-overrides Domain=$(uuidgen | tr "[:upper:]" "[:lower:]") MetadataURL='<SAML_METADATA_URL>'Updating Entra ID SAML Configuration
Check the User pool ID and the Cognito domain prefix in the Cognito management console.
Open the SAML settings in Azure Entra ID and begin editing.
Use the following values for the SAML configuration. Refer to the official documentation for more details.
- Entity ID:
urn:amazon:cognito:sp:<your user pool ID> - Reply URL:
https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse
Edit the Attributes and Claims to match your application requirements.
Click Add a group claim and select Groups assigned to the application.
To test the integration, create a new user in Azure Entra ID.
Click New user in the Azure portal.
Fill in the required fields (e.g., username and name).
Specify an email address for the user.
Skip the Assignments tab for now.
Finalize the process to create the user.
Assigning User to Application
Once the user is created, assign them to the application.
Select the my-cognito-app enterprise application.
Click Assign users and groups.
Select Add user/group and pick the user you created.
Building Frontend
Creating Application
This example uses Next.js. Generate the app with the following command and options:
npx create-next-app@latest✔ What is your project named? … amplify-with-cognito-and-entra-id✔ Would you like to use TypeScript? … Yes✔ Would you like to use ESLint? … Yes✔ Would you like to use Tailwind CSS? … Yes✔ Would you like to use `src/` directory? … Yes✔ Would you like to use App Router? (recommended) … Yes✔ Would you like to customize the default import alias (@/*)? … Yes✔ What import alias would you like configured? … @/*Change the working directory to the project root and install AWS Amplify with:
cd amplify-with-cognito-and-entra-idnpm i aws-amplifyCreating Dot Env File
Create a .env.local file in the root of your project with the following content. Replace the placeholders with your actual values:
NEXT_PUBLIC_USER_POOL_ID=<USER_POOL_ID>NEXT_PUBLIC_USER_POOL_CLIENT_ID=<USER_POOL_CLIENT_ID>NEXT_PUBLIC_USER_POOL_ID_PROVIDER=azure-entra-idNEXT_PUBLIC_OAUTH_DOMAIN=<DOMAIN_PREFIX>.auth.ap-northeast-1.amazoncognito.comUpdating Main Page
Update the src/app/page.tsx file with the following content to configure authentication and display user attributes:
'use client'
import { useEffect, useState } from 'react';import { Amplify } from 'aws-amplify';import { FetchUserAttributesOutput, fetchUserAttributes, getCurrentUser, signInWithRedirect, signOut } from 'aws-amplify/auth';
Amplify.configure({ Auth: { Cognito: { userPoolId: process.env.NEXT_PUBLIC_USER_POOL_ID as string, userPoolClientId: process.env.NEXT_PUBLIC_USER_POOL_CLIENT_ID as string, loginWith: { oauth: { domain: process.env.NEXT_PUBLIC_OAUTH_DOMAIN as string, scopes: [ 'email', 'openid', 'aws.cognito.signin.user.admin', ], redirectSignIn: ['http://localhost:3000/'], redirectSignOut: ['http://localhost:3000/'], responseType: 'code', }, }, }, },});
export default function Home() { const [attributes, setAttributes] = useState<FetchUserAttributesOutput>();
useEffect(() => { (async () => { try { await getCurrentUser(); const attributes = await fetchUserAttributes(); setAttributes(attributes); } catch (error) { await signInWithRedirect({ provider: { custom: process.env.NEXT_PUBLIC_USER_POOL_ID_PROVIDER as string } }); } })(); }, []);
return ( <div className='flex flex-col gap-2 max-w-sm mx-auto my-4'> <div className='flex gap-2'> <div>Sub:</div> <div>{attributes?.sub}</div> </div>
<div className='flex gap-2'> <div>Name:</div> <div>{attributes?.name}</div> </div>
<div className='flex gap-2'> <div>Email:</div> <div>{attributes?.email}</div> </div>
<button type="button" className="text-white bg-blue-700 hover:bg-blue-800 focus:ring-4 focus:ring-blue-300 font-medium rounded-lg text-sm px-5 py-2.5 me-2 mb-2 dark:bg-blue-600 dark:hover:bg-blue-700 focus:outline-none dark:focus:ring-blue-800" onClick={() => signOut()} > Sign out </button> </div> );}Testing
Start the development server with:
npm run devOpen http://localhost:3000/ in your browser. You will be redirected to a sign-in page.
After signing in, you can see the user attributes displayed in the app.
Verify that the user is created in the Cognito management console.
If no users are assigned to the enterprise application in Azure Entra ID, you will encounter the following error:
Cleaning Up
Clean up all the AWS resources provisioned during this example with the following command:
aws cloudformation delete-stack \ --stack-name amplify-with-cognito-and-entra-idManually delete the enterprise application and any created users in Azure.
